Bug Bounty Programs Paying Off for Vendors, Security Researchers
More companies are finding bug bounty programs to be an effective method of improving security. And Bugcrowd’s recent bug bounty report bears that out.
Private Bug Bounty Programs Growing Fast
Bugcrowd operates both public and invitation-only private bug bounty programs. Over the 30 months covered by the report, 36.1 percent of submissions to invitation-only programs were valid bugs, compared with an 18 percent valid submission rate for public programs.
India Is the Top Bug Submission Country
India is the top source for bug report submissions, followed by the United States and the United Kingdom.
XSS Is the Top Vulnerability Type
Bugcrowd’s community submitted many types of vulnerabilities, with cross-site scripting (XSS) topping the list at 17.9 percent. However, Bugcrowd classifies a whopping 67.7 percent of submitted bug types as “other.”
Information Leakage Bugs Often Submitted
Within the 67.7 percent of submissions that Bugcrowd classifies as “other,” information leakage stands out as one of the most frequently submitted types of flaw.
Average Payment per Bug Is $200
While bug payments vary, the average reward reported by Bugcrowd in 2015 now stands at $200, which is a marginal increase from the $180 average in 2013.
Top Payment Was $10,000
While the average bug payout is $200, the top bug reward reported by Bugcrowd was a $10,000 award paid out in the second quarter of 2014. The big payout was made for a cross-site request forgery (CSRF) vulnerability.
Total Bug Bounty Payout to Date: $724,014.02
For the 30-month period that the report covered, Bugcrowd’s clients paid out a total of $724,014.02 to 566 different researchers.